FIDO Application and Nevis Components
This document describes how the notions of Application, AppID and Facets apply at the level of the individual Nevis components. Concrete examples of these concepts can be found in Deployment Scenarios.
AppID in Nevis Mobile Authentication
The way applications, represented by their AppIDs and trusted facets, map onto the Nevis Mobile Authentication components can be summarized in the following statements:
- One nevisFIDO Application instance supports exactly one AppID.
- Each FidoUafAuthState defined in nevisAuth connects to exactly one nevisFIDO instance and thus supports only one AppID.
  Thanks to the trusted facets concept, multiple applications can nevertheless be protected by one nevisFIDO instance, as long as they are trusted facets of the AppID configured on that instance.
- Because policies are bound to one nevisFIDO instance and thus to one AppID, applying different policies to different client authenticators requires different nevisFIDO instances.
- A FIDO credential of a specific user is bound to exactly one AppID.
  If a user wants to authenticate in applications with different AppIDs, she needs a separate FIDO credential for each of them.
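The check behind the "one AppID, many trusted facets" statement above is the facet validation a FIDO UAF server performs: the AppID is an https URL that serves a TrustedFacetsList, and an authentication or registration request is accepted only if the calling application's FacetID appears in that list. The following Python is an added illustration of that check, not nevisFIDO code; the AppID, origins, APK key hash and bundle ID are constructed sample values, and the TrustedFacetsList follows the JSON shape defined by the FIDO UAF AppID and Facet Specification.

```python
"""Facet-ID check a FIDO UAF server performs for one AppID (illustration)."""
import json
from urllib.parse import urlsplit

# Constructed sample: the document that would be served at the AppID URL.
# Several applications (two web origins, one Android app, one iOS app) share
# this single AppID, so one nevisFIDO instance could protect all of them.
APP_ID = "https://auth.example.com/uaf/facets"  # hypothetical AppID
TRUSTED_FACETS_JSON = json.dumps({
    "trustedFacets": [{
        "version": {"major": 1, "minor": 0},
        "ids": [
            "https://www.example.com",
            "https://portal.example.com",
            "android:apk-key-hash:2jmj7l5rSw0yVb/vlWAYkK/YBwk",  # made-up hash
            "ios:bundle-id:com.example.mobile",
        ],
    }],
})


def normalize_facet(facet_id: str) -> str:
    """Canonicalise a facet ID for comparison.

    Web facets are origins (scheme://host[:port]): scheme and host compare
    case-insensitively, only https is acceptable, and a path, query or
    fragment makes the value malformed. App facets (android:..., ios:...)
    are compared verbatim.
    """
    if facet_id.lower().startswith("https://"):
        parts = urlsplit(facet_id)
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            raise ValueError(f"web facet must be an origin, got {facet_id!r}")
        host = parts.hostname or ""
        port = f":{parts.port}" if parts.port and parts.port != 443 else ""
        return f"https://{host}{port}"
    if facet_id.startswith(("android:apk-key-hash:", "ios:bundle-id:")):
        return facet_id
    raise ValueError(f"unsupported facet ID scheme: {facet_id!r}")


def load_trusted_facets(app_id: str, document: str) -> set[str]:
    """Parse a TrustedFacetsList and return the facet IDs for UAF 1.0.

    The AppID itself must be an https URL: a list fetched over anything
    else would be an unauthenticated statement of who may use the credentials.
    """
    if urlsplit(app_id).scheme != "https":
        raise ValueError("AppID must be an https URL")
    data = json.loads(document)
    for entry in data.get("trustedFacets", []):
        version = entry.get("version", {})
        if version.get("major") == 1 and version.get("minor") == 0:
            return {normalize_facet(f) for f in entry.get("ids", [])}
    raise ValueError("no trustedFacets entry for protocol version 1.0")


def is_trusted_facet(app_id: str, document: str, facet_id: str) -> bool:
    """True if facet_id may use credentials registered under app_id."""
    try:
        return normalize_facet(facet_id) in load_trusted_facets(app_id, document)
    except ValueError:
        return False


if __name__ == "__main__":
    for facet in ["https://WWW.example.com/", "ios:bundle-id:com.example.mobile",
                  "https://evil.example.net", "https://www.example.com/login"]:
        print(facet, "->", is_trusted_facet(APP_ID, TRUSTED_FACETS_JSON, facet))
```

A facet that is not in the list is rejected even though it presents a valid credential for the AppID; conversely, an application with a different AppID is a different relying party altogether and never reaches this check with the same credential, which is why a user needs one credential per AppID.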
Multi-client Mode in nevisIDM
The nevisIDM backend used to store authenticator credentials supports two distinct operation modes: single-client mode and multi-client mode (also referred to as multi-tenancy). It is important to understand how these modes relate to the application concept of nevisFIDO.
The multi-client mode of nevisIDM allows defining separate sets of identities. Several applications can thus share one nevisIDM instance while each application keeps its own identities and FIDO credentials. In nevisIDM terminology, each application uses a separate client.
This is a much simplified explanation of the multi-client mode and does not cover the different aspects and configuration options of nevisIDM comprehensively. Refer to the nevisIDM Reference Guide for detailed explanations of multi-client mode, organisational units, profiles and the other concepts of nevisIDM identity management.
Relationship of AppID and Multi-Client Mode in Nevis Mobile Authentication
The concept of applications (represented by the AppID) has no direct relation to the multi-client mode of nevisIDM. Although applications can be modelled as separate clients, the two concepts are not tightly coupled.
However, if nevisIDM is configured to run in multi-client mode, this has direct consequences for the functionality and configuration of the nevisFIDO component.
One nevisFIDO instance supports only one nevisIDM client, because the client ID is part of the instance configuration.
As a result, an application that must authenticate users from several clients (tenants) needs several nevisFIDO instances, at least one per client ID.